Cloud and Blockchain in Life Sciences
The digital revolution will transform how Pharma companies work in the future. ARCONDIS experts share their knowledge about opportunities and risks associated with Cloud and Blockchain technology.
The digital revolution sweeping into the pharmaceutical world is already having an impact on the pharma sector. However, many pharmaceutical companies struggle to adapt to the innovation and technologies. Here we share our understanding of cloud computing and blockchain technology.
Cloud computing is undergoing a period of growth within the pharmaceutical field. Cloud applications radically change key characteristics of work operations. The COVID-19 crisis in particular demonstrates the essential need for resources and access, regardless of location and time. Nevertheless, risks arise from several factors, e.g. data location and loss of governance. Drawing on many successful cloud projects with our clients, we gladly share our knowledge of the risks posed to your business.
Clouds are classified by service level (Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service), by type of hosting (internal, external) and by deployment model (public, private, and hybrid cloud). Risks differ depending on the type of cloud used. With this in mind, the risks common to all cloud types are explained briefly below.
When starting to outsource applications to the cloud, the potential impact with respect to quality guidelines and regulations shall be defined. Applications may include, but are not limited to: customer relationship management (CRM), enterprise resource planning (ERP), laboratory management software (LIMS), and document management systems (DMS).
Compliance risks need to be clearly addressed, as pharma security and regulatory requirements are not understood by most cloud service providers. The following quality guidelines and regulations can be consulted as examples:
- Cloud Computing Compliance Controls Catalogue – Federal Office for Information Security
- Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 – Cloud Security Alliance
- EudraLex GMP Guidelines, Chapter 4 and Chapter 7 – European Commission
- Information technology – ISO/IEC 27001
- Information security for supplier relationships – ISO/IEC 27036
- Code of practice for information security controls – ISO/IEC 27017
- Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors – ISO/IEC 27018
- Good Practices for Data Management and Integrity in regulated GMP/GDP Environments – PI 041-1
In addition, outsourced activities have to be kept under control, and vendor audits are therefore necessary. Data and service level agreements are important for the legal, compliance and security risks they state. Cloud vendors – especially in SaaS – shall demonstrate that measures are in place to prevent loss of or damage to data and to prevent access to sensitive or valuable information from being impeded. Business continuity shall be ensured and data recovery therefore guaranteed. The cloud provider's control over logs and documentation must also be requested in order to identify security incidents within the operation. Risks concerning backup, encryption, access control, monitoring, physical/logical security and human factors (e.g. training) shall be included in the agreements. Risk mitigation is achieved by incorporating information security practices such as:
- System and Organization Controls (SOC)
- International Organization for Standardization (ISO) 27001, 27018, 27017 certification
- Sarbanes-Oxley (SOX)
At the same time, the risk of cloud lock-in should be discussed from the beginning of the project. Limitations on moving between service providers must be considered, and data transfer, application transfer and infrastructure risks addressed. After all, the dependency on suppliers and the loss of data control are not to be taken lightly.
Data migration risks are still underestimated in many enterprises. Migrated data remains usable and retains its content and meaning only if audit trails, electronic signatures and metadata are left intact. Validation should include verification that data is not altered in value or meaning during migration processes.
Pharmaceutical companies must observe numerous legal requirements when using cloud solutions connected to patient or private data. The authorities of the country where the cloud is hosted may have a right of access to the resources hosted there, since personal data protection laws differ from one country to another. Furthermore, confidential data might be compromised through access by foreign authorities (e.g. CLOUD Act).
Taken together, cloud computing offers high flexibility and cost reduction if risks are assessed correctly.
According to ISO 9000:2015, the term “validation” is defined as the ‘confirmation through the provision of objective evidence that the requirements for a specific intended use or application have been fulfilled’. The Blockchain, mostly implemented as a ‘Distributed Ledger’ cloud platform, allows users to store, process, share and manage any kind of information in a decentralized way. Typically, the distributed database is publicly accessible, strongly encrypted, almost impossible to forge and, most importantly, shared by multiple participants. How do you bring together the terms ‘validation’ and ‘Blockchain’?
In terms of its intended use, the Blockchain is primarily used within a complex system as a vehicle for storing data in a secure way. Therefore, the Blockchain is just one of the components in a system and is validated as a component, not as a stand-alone system. Typically, other cloud-based components, such as wallets, are also part of the computer system. This necessitates a shift in approach compared to ‘classical’ computer software validation (CSV). The focus of the validation shifts from system functionality to supplier control, such as qualification and monitoring of suppliers. In addition, the qualification of interfaces between the system components and the handling of requirements such as long-term data accessibility (archiving) need more attention in the validation. Additional risks must also be addressed, such as risks related to lock-in with the Blockchain provider and the underlying technology.
As mentioned, one challenge is the consideration of the interfaces. Blockchains are normally operated by cloud providers or consortia, as are other components within the complex Blockchain-based system, such as wallets, which are also provided as cloud services. Behind these different system components are operators, who must be authenticated and monitored. Additionally, the components and their providers – including in-house services of the enterprise performing the validation – are strongly interconnected. This results in complex dependencies and interfaces that need to be managed on a daily basis.
Blockchain technology creates transparency, verifiability and trust. However, considering the complexity and the challenges that arise for Blockchain validation in comparison with classic CSV, the question should always be asked with regard to the intended use: Does the use of Blockchain technology provide benefits for the actual individual business case, considering the resulting shift in validation requirements and the associated risks? If distributed storage and the use of a trust factory are necessary, the resulting complexity, shift and risks have to justify it.
 I. C. Reinhardt, D. J. C. Oliveira, and D. D. T. Ring, “Current Perspectives on the Development of Industry 4.0 in the Pharmaceutical Sector,” J. Ind. Inf. Integr., vol. 18, p. 100131, 2020, doi: 10.1016/j.jii.2020.100131.
 M. Zbakh, M. Bakhouya, M. Essaaidi, and P. Manneback, Cloud computing and big data: Technologies and applications, vol. 30, no. 12. 2018.
 P. Da-cruz, Digitale Transformation von Dienstleistungen im Gesundheitswesen VII. 2020.